getsops/sops

`exec-env` does not work when encrypted file is in a parent directory

ScottGuymer opened this issue · 3 comments

I have a folder structure like

my-app/
├─ subfolder/
│  ├─ script.sh
├─ secrets.enc.yaml

From my-app I can run

sops secrets.enc.yaml
sops -d secrets.enc.yaml
sops exe-env secrets.enc.yaml

all work correctly. But, if I change directory into subfolder then

sops ../secrets.enc.yaml
sops -d ../secrets.enc.yaml

work as expected. However,

sops exe-env ../secrets.enc.yaml

gives an error like

sops exe-env ../secrets.enc.yaml
error: missing file to decrypt

I can't seem to see a reason why exec-env has a different behaviour and does not work as the other commands do.

I cannot reproduce this. First, none of the `exec-env` commands you showed actually work:

  1. It's `exec-env`, not `exe-env` (I guess that typo happened when you wrote this post and it's not actually what you ran);
  2. `exec-env` expects two positional parameters, you provided one (the file to decrypt).

If I run `sops exec-env ../x.yml /bin/bash` I end up in a shell where the values in `../x.yml` are available. Same for `sops exec-env ../x.yml export`. But if I run `sops exec-env ../x.yml` or `sops exec-env ../x.yml /bin/bash -c export` or something else where there are not exactly two positional arguments, I get the message you mentioned (`error: missing file to decrypt`).

So my guess is that you ran something with not exactly two positional arguments to exec-env.

Apologies, it seems I was being a total moron when I was testing this out.

What I was trying to do was make this work from a package.json...

And I think I got my wires totally crossed when I dropped out of that to a shell when it did not work correctly the first time.

In the cold light of day, and with your comments, I see the issue.

Here is what I had in my package.json

{
  ...
  "scripts": {
    "dev": "sops exec-env ../secrets.dev.enc.yaml concurrently \"yarn start\" \"yarn start-backend\"",
  },
  ...
}

Which yielded the error above...

But adding in some ' seems to do the trick and make it work.

{
  ...
  "scripts": {
    "dev": "sops exec-env ../secrets.dev.enc.yaml 'concurrently \"yarn start\" \"yarn start-backend\"'",
  },
  ...
}

(I don't think the error message itself helped out either 😆)

> (I don't think the error message itself helped out either 😆)

I fully agree! :)
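The difference between the two package.json scripts in this thread is how many words the shell hands to `exec-env`. The following is an added example, not part of the thread or of sops itself: it assumes the script string is run by a POSIX shell, the `sops` function is a constructed stub that applies only the two-positional-argument rule described above, and `run_script`, `UNQUOTED` and `QUOTED` are names made up for the demonstration.

```shell
#!/bin/sh
# Constructed stub standing in for the real sops binary (assumption for
# this demo). It implements only the rule stated in the thread:
# exec-env needs exactly two positional arguments, file and command.
sops() {
    [ "$1" = "exec-env" ] || { echo "stub handles exec-env only"; return 2; }
    shift
    if [ "$#" -ne 2 ]; then
        # The stub reports the count; the real tool printed
        # "error: missing file to decrypt" in the thread.
        echo "error: $# positional arguments, expected 2"
        return 1
    fi
    echo "file=$1 command=$2"
}

# Evaluate a script string in a subshell so the shell performs its
# normal word splitting and quote removal before the stub is called.
run_script() {
    ( eval "$1" )
}

# The two "dev" scripts from the thread, after JSON unescaping.
UNQUOTED='sops exec-env ../secrets.dev.enc.yaml concurrently "yarn start" "yarn start-backend"'
QUOTED="sops exec-env ../secrets.dev.enc.yaml 'concurrently \"yarn start\" \"yarn start-backend\"'"

# Show both outcomes when run stand-alone.
for script in "$UNQUOTED" "$QUOTED"; do
    run_script "$script" || true
done
```

In the unquoted form the shell splits the command into `concurrently`, `yarn start` and `yarn start-backend`, so four positional arguments arrive instead of two; the single quotes keep the whole command as one argument.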